At WP Engine we aim to offer the fastest and most secure WordPress hosting environment for your website. There are a handful of plugins that we’ve noted can cause various security or performance issues on your site. Our goal is to keep your site running smoothly, so for this reason we’ve made certain plugins disallowed. If you have one of these plugins, you’ll be notified and the plugin will eventually be removed from your site. We’ve broken these plugins down into groups to provide some context as to why they cannot be used.

Caching Plugins

Caching plugins can conflict with our platform’s built-in caching structure. These plugins are known to cause direct conflicts and would ultimately impact your site’s ability to load if used:

WP Super Cache

WP File Cache

W3 Total Cache

Many of the caching features these plugins offer we have built-in to our servers by default as part of your managed WordPress hosting experience. We have your back- don’t worry!

Backup Plugins

We discourage the use of backup plugins as they needlessly bloat your site and can store files in an insecure way. Many of these plugins also run their backup jobs at inopportune times, slowing down MySQL queries and even causing timeouts on your site.

The following backup solutions are disallowed plugins:

WP DB Backup — Needlessly bloats your site’s local storage.

WP DB Manager — .htaccess protection is recommended, but local storage usage is the major concern as it only offers a local storage option.

BackupWordPress — Duplicates a large number of files on local storage that are already in our backups.

VersionPress — In order to function this plugin needs access to server level functions that we disallow for security reasons.

We take nightly backups of all WordPress websites hosted with us. These are done in an efficient, automated manner and the data is kept securely on a separate server from your WordPress install. Our automated backups do not count towards any plan local storage limits and we make these backups available for you to restore, copy or download as-needed.

If you feel more secure with a secondary, off-site backup, we permit VaultPress on our servers.

Server & MySQL Thrashing Plugins

These plugins we disallow because they either cause a high load on the server or create an excessive number of database queries. They will directly impact server load and ultimately hinder your site’s performance.

Broken Link Checker — Overwhelms the server with a very large amount of HTTP requests

MyReviewPlugin — Slams the database with a significant amount of writes.

LinkMan — Much like the MyReviewPlugin above, LinkMan utilizes an unscalable amount of database writes.

Fuzzy SEO Booster — Causes MySQL issues as a site scales up.

WP PostViews — Inefficiently writes to the database on every page load.

Tweet Blender — Does not interact well with caching and can cause increased server load.

To track traffic in a more scalable manner, both the stats module in Automattic’s Jetpack plugin and Google Analytics work great.

We recommend that you use one of the following tools to check your site for broken links. As they are not plugins these will not have a negative effect on your site’s performance.

Bad Behavior — This plugin attempts to block a number of hosts that we already disallow.

Email Plugins

Just because you are able to send emails with WordPress, that doesn’t always mean you should. We want our customers to experience the same best-in-class experience with email as we provide with web hosting, so we recommend using a 3rd party service. Specialized services like MailChimp, Constant Contact, AWeber and countless others offer complete email solutions for your business and will provide you with optimal results.

If your domain’s email provider offers its own SMTP server, you are welcome to configure that as your outgoing server. Be sure to check with your email provider about their bulk mail, opt-in mail and anti-spam policies before doing so.

We have disallowed the following email plugin, as it allows you to send email blasts with WordPress.

Miscellaneous Plugins

WP phpMyAdmin — Disallowed due to a fairly major security issue. We also offer phpMyAdmin access without a plugin from your User Portal.

Sweet Captcha — After our partners at Sucuri revealed that the Sweet Captcha service was used to distribute adware, we have decided to follow the WordPress Plugin Repo’s lead and ban the plugin outright.

EWWW Image Optimizer – While the original version can cause stress on the server to the point of negative impact, the Cloud version of the plugin located here is a great alternative that offloads the computing to the Cloud.

Digital Access Pass (DAP) — While we do not actively remove this from sites, please be aware that it will not work properly on our platform due to its use of PHP Sessions and System-level crons. Instead, we recommend using one of the other highly-rated Membership plugins like Paid Memberships Pro, Restrict Content, or S2Member.

Additional Scripts

Some frequently used scripts are known to contain security vulnerabilities. Our platform scans the files system periodically to identify and either patch or remove these scripts.

TimThumb — Older versions of TimThumb are known to contain vulnerabilities. When our system scan identifies an older version, it will automatically update the script. After the upgrade has been completed, the system will notify you by email.

Uploadify — Access to this script is blocked due to known security threats. The reasoning behind this was largely informed by this blog post from our partners at Sucuri.

Complete List of Disallowed Plugins

These are the files and folders that we explicitly searching for when we scan for disallowed plugins. You can compare this against your wp-content/plugins/ directory to check for conflicts.

Why We Disallow

By no means are we suggesting any of these disallowed plugins are “bad” plugins. Some of them, like related posts plugins, can be great for content discoverability. As your managed WordPress host however, our primary concern is to provide the fastest and most secure WordPress hosting experience we can. These plugins have proven that they will negatively impact performance or security on our platform and we’ve made the decision to prevent their use.

As for insecure plugins, we try to work with the plugin developer to have them corrected. During that time the plugin may temporarily be added to our disallowed list and we’ll happily allow it again once the issue has been addressed.

If you have any questions about these disallowed plugins, or feel a recent update to a plugin has been put forth to correct the issue we’ve banned it for, please contact our Support team.

WordPress Help

Share

Share:

Contact the WP Engine Support Team

In order to get expert one-on-one help, please log into your account so we can identify your account and get you exactly the help you need. We offer support 24 hours a day, 7 days a week, 365 days a year.